Threat Landscape Report 2023 - A Year Review

Presentation

We are monitoring the cyber threat landscape to help the European Union institutions, bodies, offices and agencies (Union entities), detect and protect against cyber attacks. Our monitoring focuses on attacks targeting Union entities or their vicinity.

We consider a malicious activity is in the vicinity of Union entities when some of the following factors are combined: - The activity is targeting sectors of interest, entities located in the EU or in other European countries, software products or service providers known to be used by Union entities. - The activity is a large-scale campaign possibly affecting any organisation worldwide. - The activity is attributed to a well-resourced threat actor known to have targeted Union entities (we label it a Top Threat Actor).

We name malicious activities of interest (MAIs) the attacks targeting Union entities or their vicinity.

In 2023, we analysed 602 MAIs. For each MAI, we focus on the following key characteristics: - victimology information (targeted sectors, countries, or software products) - tactics, techniques and procedures (TTPs) - malware strains or tools - exploited vulnerabilities - attribution - indicators of compromise (IoCs) and detection rules.

While this analysis is essential to help Union entities detect threats and protect against them, it also provides us with a solid basis to identify patterns and trends in the threat landscape. This document presents a selection of notable characteristics of the 2023 threat landscape.

Key findings

• We noticed 80 threat actors active against Union entities or their vicinity, with critical exposure to 18, high exposure to 17, medium exposure to 21 and low exposure to 24. The motive of these threat actors was, in descending order of importance, cyberespionage, hacktivism, cybercrime or information operations.

• When it was possible to determine their origin, and based on information from reliable sources, we noticed that threat actors active against Union entities or their vicinity were linked mainly with two countries: People's Republic of China (hereafter China) and the Russian Federation (hereafter Russia). However, we also noticed a diversification in the origin of cyber attacks and the role played by private sector offensive actors (PSOAs).

• We noticed threat actors targeting 104 software products in 241 distinct malicious activities of interest. These targeting took different forms including exploitation of internet-facing vulnerable software products, supply-chain attacks leveraging trojanised software products, fake version of software products, abuse of public repositories used for programming languages, misuse by threat actors, or other forms of exploitation after initial access.

• There were significant attacks against products in various categories, including networking (Fortinet, Cisco or Citrix products for example), development tools and IDEs (for example JetBrains or Python libraries), security (such as 1Password or LastPass password managers), content management or collaboration tools (WordPress, Altassian Confluence for example), and cloud services (such as Azure or JumpCloud).

• Spearphishing remained the predominant initial access method for state-sponsored and cybercrime groups seeking to infiltrate target networks. We have analysed 177 such attacks, that we found notable. We observed that a number of adversaries used specific lures, related to EU affairs, in their attempts to deceive users in Union entities.

• We tracked cyber attacks that we think were targeting particular sectors. Given the high number of Union entities and the diversity of EU policies, the 25 sectors that we are monitoring are varied in nature. We noticed that, beside the public administration sector, 13 of these sectors were targeted by at least 10 attacks in 2023. The most targeted sectors of interest for us were, in descending order, diplomacy, defence, transport, finance, health, energy, technology, justice, telecommications, research, education, fundametal rights, and space.

• In 2023, ransomware remained the predominant cybercrime activity, globally. However, we didn't detect any significant ransomware breach affecting Union entities. In Europe, according to information from open sources and data leak sites (DLS), we noticed activity by at least 55 ransomware operations and a total of 906 victims. One ransomware operation, Lockbit, accounted for 25% of the total cases.